Understanding CyberThreats to Your Organization: An Update from Stacey Wright

Is there ever a week where there isn’t a report of a hacking? Some major corporation being infiltrated or their social media accounts hijacked?

The news stories we typically see are about big companies: Target. Sony. HBO.

But thousands of smaller, unknown businesses face very real cyber challenges every day.

And so do government and law enforcement agencies.

If you are concerned about the cyberthreats facing your justice-related organization, or are responsible for its cyber protections, then be sure to join this recorded webinar, when Stacey Wright from the Center for Internet Security shares her half-yearly update with the JCH community about:

The changing and emerging cyber threats local and regional government law enforcement organizations should be aware of.

Profiling the cybercriminals?

The tactics this unique type of criminal uses.

And, what should LEOs need to know to combat these perpetrators and protect their own organizations?

Justice Clearinghouse Editors (JCH): The U.S. Department of Homeland Security (DHS) has designated the Multi-State Information Sharing and Analysis Center (MS-ISAC) as the key cybersecurity resource for the nation’s state, local, tribal and territorial (SLTT) governments and previously you’ve talked with us about tracking the ever-changing world of cyber threats against SLTT governments. Understanding that you are careful about you can share over the open Internet due to your own security practices, can you help the justice community understand how you ‘track’ these threat trends?

Stacey: We’re lucky enough to have several techniques that help us track how the threats are changing. Probably the most helpful one is our members themselves. Membership in the MS-ISAC is always voluntary for an SLTT government, but our members do call us when they come across something unusual or want a second opinion because they know that chances are we’ve got experience in whatever they’re dealing with. That gives us the ability to work with them confidentially while gathering information on threats and trends that we can anonymously share the with the rest of the membership for everyone’s benefit. We also run a Computer Emergency Response Team (CERT) that provides forensic and other services for free when incidents happen, which results in us gaining additional insight into the threat trends.

In addition, we have intrusion detection or prevention sensors deployed in almost every state and territorial government as well as multiple local governments and critical infrastructure entities. So quite literally, every day we send hundreds of alerts out to our members warning them of suspicious activity that they investigate and remediate. All of this information is combined with the member reporting, our Internet and open source monitoring, and the information from other cybersecurity firms and federal agencies, to provide us with a very unique insight into the threats and patterns our SLTT government members are seeing.

JCH: For those of us who may not be as familiar with cybercrime to the level of detail you are, how much do cyberthreats really change over time?

Stacey: They are both constantly changing at the micro-level and somewhat static at the big picture level. Think about it like street gangs. We’ve had street gangs as a major law enforcement concern for decades and many of the problems associated with street gangs, such as violence, remain much the same over time. At a more micro level, the actual gangs in a particular neighborhood can change over time, and sometimes the gangs commit new crimes. For instance, we’re seeing street gangs move into identity theft. However, at a very micro level change happens constantly as the people, symbology, slang, and even telephone numbers they use shift.

Cyber works much the same way. Most of the tactics, techniques, and procedures (TTPs) remain very similar at a high level. For instance, malware and distributed denial of service attacks are very common and have been for years. But the authors of the malware change and as that happens the malware itself changes what it does. For the last two years, the “big bad” was ransomware. Ransomware is malware that tries to prevent access to a computer or files and demands a ransom in exchange for releasing the computer or files. For the most part this is an opportunistic threat, meaning that it infects computers randomly, and that means that police, fire, and 9-1-1 departments, court systems, and countless others have been victims. What has changed is exactly what happens during an infection. For instance, the method a computer is infected has changed from infections through spam emails to infections through malvertising and now we’ve swung back to infections through spam. Once a computer is infected with ransomware many different things can happen – most of the time files are encrypted and a ransom is demanded but sometimes the ransomware also exfiltrates files or deletes them. Depending on the variant it might give you 72 hours to pay via Bitcoins or a different time limit and currency. So while the concept of ransomware has been static for a couple of years, at the micro level we’ve seen a lot of changes and shifts in what the particular variants of ransomware do.

JCH: What is the most important emerging, cybercrime threat all law enforcement agencies should be aware of – but may not have hit their radar screens just yet?

Stacey: I’m going to give you two different answers here. As I will talk about in detail during the webinar, there’s a strong focus on the Business Email Compromise or BEC scam this year. That’s because we know it to be responsible for billions of dollars in attempted losses. There are several variants of the BEC scam, but the basic concept is that the criminals send an email to either the HR or Finance Department of a potential victim in an attempt to trick the victim into sending a wire transfer or tax information to the criminal. This email can be from the compromised email account of another employee or be spoofed, or made to look like it came from the email account of another employee. This scam is important to know and recognize because the victims aren’t just private companies, but also state, local, tribal, and territorial governments.

The other thing I want to mention is how we keep talking about cyber-this and cyber-that. We need to move past treating cybercrime as something different than traditional crime. The line between cyber and non-cyber crimes is gray and fuzzy at best. For instance, if a burglar uses Facebook to trick people out of their home so he can gain access, was that a crime or cyber crime? If a car thief uses a computer to break into a car, was that a crime or cyber crime? If a criminal breaks into a business, adds their name to the company payroll, and then steals some stuff to cover up the real purpose of the B&E, was that a crime or cyber crime? If the local coffee shop has malware on their register that steals everyone’s credit card numbers or steals the shop’s Bitcoins, were those crimes or cyber crimes? Perhaps these questions would be bettered asked as “when” because we’re seeing all this and more happen. So, I would offer, one of the most emerging threats that departments need to consider is how they are going to respond to crimes that have a cyber component and fall into this gray area where the crime might involve a computer intrusion as a component of a “real world” crime.

~~~~~

…We keep talking about cyber-this and cyber-that.

We need to move past treating cybercrime as something different than traditional crime.

The line between cyber and non-cyber crimes is gray and fuzzy at best.

~~~~~

JCH: Let’s apply this to a real situation: what are the first immediate steps any organization – a local area community organization, or a government agency, etc – should do the minute they realize they’ve been hacked, or become a victim?

Stacey: There’s never just one first step because unfortunately, the best response can depend on what you are the victim of. If you’re the victim of ransomware, pull the computer offline but do not turn it off. That will, in most cases, help limit the damage.

If you’re the victim of the BEC scam, immediately call the bank or financial institution where the money was transferred and recall on the transfer. If you act quickly, it’s sometimes possible to stop the transfer. If you’re worried that your network was breached and someone is inside your network, pull the network off the Internet, but again, don’t shut anything down because you can lose valuable evidence that way.

And of course, an easy answer is to call the MS-ISAC. We’re a free resource around 24×7 to help SLTT governments deal with problems just like these. As I say when I talk with SLTT governments in person, I may grumble a bit if our Security Operations Center calls me at 2AM so I can help someone, but that’s also my job and like all of us here, I believe in what we do, so I will answer my phone. Even at 2AM.

JCH: How prepared do you think organizations are in terms of preventing becoming the victim of a cybercrime?

Stacey: Unfortunately, not as prepared as they should be. I go to several law enforcement and first responder conferences throughout the year and the cyber sessions are always under-attended. This can be a technical topic and I feel like it can quickly be overwhelming but rather than leaving it there, let me give you a couple of easy, simple steps you can take to be more prepared.

First, designate someone in the department to be responsible for learning more about and improving your cybersecurity. Second, if you don’t have your own domain name and official email accounts, get those. It doesn’t matter if you use your town’s domain or have one just for your department, what matters is having an official email address because many of the folks who can help you are restricted to sending information to official email accounts.

Then make sure every computer is running up-to-date software that has the latest patches. This simple step, which you can mostly automate, will go far in protecting your network. In addition, buy, install, and keep up-to-date good antivirus software. Backup your system and files so that if something goes wrong you can recover. And finally, take some time to train your staff. Help them to understand they shouldn’t open every email or click on every link. Teach your HR and finance departments about the BEC scam so they will recognize and report it.

Obviously, this is just a starting point and I’ll mention some other recommendations and resources, like the Center for Internet Security’s Critical Security Controls, during my presentation.

JCH: You’ve been working in and around the Cybercrime arena for many years. What drew you to this particular area of justice? What keeps you motivated and engaged each day?

Stacey: Law enforcement and justice has always been a passion of mine, and while I’m not going to admit exactly how many years I’ve been in this field, I will say that I was a Criminal Justice major in college. From there things just kind of lined up for me. It seems like every day I go into work and there is something new to learn or do and here I am years later. This probably makes me sound like a nerd but I still get a rush when I find a new pattern that I can warn people about or when I talk with someone and see them start to understand how it works and that cyber isn’t nearly as complex as they think.

JCH: We have members from all parts of the justice arena. Can you share some specifics of what different types of justice professionals or first responders will gain by attending your webinar? What skills or new knowledge will they gain that they can immediately use the next day on the job?

Stacey: I’d offer two things that everyone should be able to take away – information on the top threats and some best practices for preventing them. During this webinar, I’ll be doing my best to not just tell you what today’s top threats are to state, local, tribal, and territorial governments, but explaining what they really mean. I won’t go through as many threats as I normally cover in a technical presentation, but instead, I’ll be doing my best to be less technical and help everyone walk away with a better understanding of the top few threats. And then like we talked about very briefly here, I’ll also be providing some concrete, simple recommendations for how you can improve your department’s cybersecurity, regardless of how large, small, or technically advanced your department is.